Daily Brief


Total articles found: 11813


2025-06-23 12:29:26 bleepingcomputer DATA BREACH Nucor Steel Hit by Data Theft, Halts Production Operations
Nucor, North America’s largest steel producer, confirmed a data breach involving data stolen from its systems. The incident led to the shutdown of certain production operations at several locations as a precautionary measure. Following the breach, Nucor notified law enforcement and engaged external cybersecurity experts to aid in recovery and investigation. The breach temporarily limited access to some IT applications, affecting operations. The company confirmed that “limited data” was exfiltrated by the attackers and is currently assessing the impact. Nucor has restored access to affected systems and believes the threat actors no longer have access to its network. The company has committed to notifying all potentially affected parties and regulatory bodies as necessary. Details regarding the specific type of attack, or whether ransomware was involved, remain unclear.
2025-06-23 11:35:20 theregister CYBERCRIME UK Retail Hit Hard by Major Cyberattacks, Costs Soar
The UK Cyber Monitoring Centre (CMC) estimates the financial impact of recent cyberattacks on major UK retailers at between £270 million and £440 million. Significant attacks targeted well-known stores such as Marks & Spencer, the Co-op, and Harrods, although Harrods sustained less damage because it continued operating. The CMC categorizes these incidents as category 2 systemic events, with severe implications for the directly affected companies and their network of suppliers and partners. While online sales for M&S were severely disrupted, leading to a notable drop in daily revenues, the Co-op experienced a smaller financial impact but a broader regional effect. The event had a marked impact on contactless and online payments, demonstrating the operational vulnerabilities businesses face from cyber threats. This incident marks the first application of the CMC's cyber event grading scale, introduced to clarify and manage systemic cyber risks and insurance claims. The ongoing implications of such cyberattacks are prompting discussions about national security and the need for enhanced cyber resilience strategies.
2025-06-23 11:26:28 thehackernews MISCELLANEOUS How AI Automation Reduces Burnout in Security Operation Centers
SOCs suffer a high incidence of burnout due to fragmented tools, extensive workflows, and repetitive tasks amid understaffing. SOC teams often consist of only 2-10 full-time analysts who manage a broad scope of infrastructure, from on-premises systems to cloud-based and SaaS platforms. Traditional methods of automation in SOCs are insufficient, relying on brittle playbooks that falter when unexpected scenarios arise. AI-powered automation can drastically improve SOC efficiency by acting as a contextual aggregator, reducing the manual burden on analysts, and enhancing decision-making processes. AI introduces adaptive automation, enabling more versatile responses to security threats and dynamic workload management based on real-time context. AI also supports analysts' skill development and job satisfaction through real-time feedback, fostering a more supportive and growth-oriented work environment. Enhanced AI capabilities allow SOC leaders to better manage team performance by providing insights into analysts' work patterns and identifying areas for improvement. The potential of AI to alleviate stress and reduce burnout in SOCs promotes better retention and job satisfaction among security analysts.
2025-06-23 10:49:01 thehackernews CYBERCRIME Google Enhances GenAI Security Against Indirect Prompt Injections
Google has introduced multiple security measures to protect its generative AI systems from indirect prompt injection attacks, which manipulate AI with hidden commands in external data like emails or documents. These attacks could potentially lead to data exfiltration or other malicious activities by tricking AI systems. The company has implemented a layered defense strategy to increase the complexity and cost of successful attacks, including model hardening and machine learning models designed to detect malicious instructions. Additional safeguards have been integrated into Google’s flagship GenAI model, Gemini, to enhance its resilience against such cybersecurity threats. However, adaptive attacks that evolve with automated red teaming efforts are proving capable of bypassing these defenses, highlighting the need for robust, multi-layered security across all aspects of AI systems. Recent research has shown that large language models (LLMs) can be used by adversaries for more precise extraction of sensitive information and to create targeted fake web pages. Studies also suggest that while AI models are becoming proficient in automating certain security tasks, they still face challenges with more complex vulnerabilities like system exploitation and model inversion. The evolving capabilities of AI models underscore the importance of continuous advancement in AI security to counteract emerging threats and exploit techniques.
2025-06-23 09:34:02 thehackernews DDOS Record-Breaking 7.3 Tbps DDoS Attack Thwarted by Cloudflare
Cloudflare successfully blocked the largest DDoS attack on record, peaking at 7.3 Tbps and targeting an unnamed hosting provider. The attack delivered 37.4 terabytes of data within 45 seconds, originating from over 122,145 IP addresses across 161 countries. Major sources of the attack traffic included Brazil, Vietnam, Taiwan, China, and several other countries. The report underscores the importance of robust cybersecurity measures and the continuous threat of DDoS attacks on global infrastructure. Recommendations include applying software updates promptly and patching the critical vulnerabilities listed, such as the CVE-2025 series affecting various software. The article also emphasizes the security risks of using SCCM without appropriate safeguards and configuration, and calls for improving security protocols, rotating credentials regularly, and segmenting networks to prevent silent domain takeovers.
2025-06-23 00:38:05 theregister NATION STATE ACTIVITY Ex-Sergeant Guilty of Selling Military Secrets to China
Former US Army sergeant Joseph Daniel Schmidt has pleaded guilty to attempting to sell classified military data to China using his former top-secret clearance. Schmidt's efforts to contact the Chinese government were poorly executed, using personal email addresses and publicly searchable questions related to espionage. He faces up to 10 years in prison and a $250,000 fine for his actions. Separately, 5.4 million healthcare records from the firm Episource were stolen, including sensitive personal and medical information. New vulnerabilities in Linux and XML parsing libraries pose significant threats to system security, with some still unpatched. The use of AI in spam emails has improved their quality, making malicious emails harder to detect. Critical vulnerabilities in Citrix products and TP-Link Wi-Fi routers have been addressed, but patching is urged for several exploited flaws.
2025-06-22 21:53:58 bleepingcomputer CYBERCRIME CoinMarketCap Website Hacked, Crypto Wallets Drained by Malicious Script
CoinMarketCap, a popular cryptocurrency tracking site, was compromised in a supply chain attack, resulting in a crypto wallet drainer campaign. On January 20, visitors experienced unauthorized Web3 popups prompting them to connect their crypto wallets, which led to the theft of cryptocurrency. The attackers injected malicious JavaScript through a vulnerability in the site's homepage "doodle" image. The malicious script executed a fake wallet connect popup with CoinMarketCap branding, deceiving users into a transaction that drained their wallets. Cybersecurity analysis revealed the attack was executed by modifying the API for retrieving homepage images, inserting a malicious script that pulled wallet-drainer code from an external server. The attack compromised 110 victims, stealing a total of $43,266, with the attackers communicating in French on a Telegram channel. In response, CoinMarketCap removed the problematic content, secured the vulnerability, and assured users the site is now secure.
2025-06-22 15:19:39 bleepingcomputer DATA BREACH Oxford City Council Hit by Significant Data Breach
Oxford City Council experienced a data breach impacting systems containing two decades of data. Personal information of former and current council officers, specifically involved in elections from 2001 to 2022, was accessed. While most systems have been restored, some service delays persist due to existing backlogs. Initial investigations reveal no evidence of widespread data dissemination or mass data extraction. Affected individuals are being contacted directly with information about the breach and support resources. The council has notified relevant government and law enforcement agencies about the breach. Increased security measures are being implemented to strengthen systems against future attacks. The breach did not reportedly compromise citizen data, focusing instead on personnel associated with election administration.
2025-06-21 15:14:33 bleepingcomputer CYBERCRIME Russian Hackers Target Gmail Using Stolen App Passwords
Russian hackers impersonated U.S. State Department officials in sophisticated phishing attacks to bypass Gmail multi-factor authentication. The attackers targeted academics and critics of Russia, using social engineering to obtain app-specific passwords. Security researchers identified the group as UNC6293, possibly linked to APT29, a known Russian state-sponsored group. The phishing campaign was meticulously planned, involving credible-looking emails and platforms to gain the trust of the targets. Once the targets were deceived into creating app-specific passwords, the attackers used those passwords to gain full access to their Gmail accounts. The campaign used residential proxies and VPS servers to maintain the attackers' anonymity. Google advised targeted users to enroll in its Advanced Protection Program to prevent such breaches.
2025-06-21 14:13:59 bleepingcomputer CYBERCRIME Hackers Exploit WordPress Theme Flaw to Gain Admin Control
Hackers are actively exploiting a critical vulnerability in the "Motors" WordPress theme to hijack admin accounts. The vulnerability, identified as CVE-2025-4322, allows attackers to escalate privileges by altering admin passwords without authorization. Wordfence first reported the issue on May 19, 2025, after discovering the flaw earlier in the month, with exploits seen from May 20. Despite a patch released on May 14, many users did not update, leading to widespread exploitation, with over 23,100 attacks blocked by Wordfence by early June. Attackers manipulate the theme's password reset feature using malformed data to bypass security checks and reset admin passwords. Post-intrusion activities include creating new admin accounts for persistent access and potential lockout of legitimate administrators. Observations note the use of specific malicious IP addresses, which Wordfence recommends blocking to mitigate risk. The incident underscores the critical importance of timely application of security patches to prevent unauthorized access and control.
2025-06-21 09:50:31 thehackernews CYBERCRIME Scattered Spider Cyberattacks Cost UK Retailers Up to $592M in Damages
Scattered Spider, a notorious cybercrime group, executed coordinated cyberattacks on UK retailers Marks & Spencer and Co-op in April 2025, causing significant financial damage estimated between £270 million ($363 million) and £440 million ($592 million). The Cyber Monitoring Centre (CMC), an independent U.K.-based body, has categorized these incidents as a single "Category 2 systemic event" due to the similarity in tactics and close timing of the attacks. The cybercriminal group employed social engineering tactics targeting IT help desks to gain unauthorized access, demonstrating sophisticated methods of attack. The attacks had a 'narrow and deep' impact on the targeted retailers, with significant implications for their suppliers, partners, and service providers. Concurrently, Google Threat Intelligence Group highlighted that Scattered Spider has started targeting major US insurance companies, indicating a shift in focus and a potentially broader threat. Tata Consultancy Services (TCS) confirmed that their systems were not compromised in the attack against Marks & Spencer, amid internal investigations on whether their systems were used as a launchpad for the attacks. The Qilin ransomware operation's new strategy involves legal tactics and media manipulation to intensify pressure during ransom negotiations, highlighting evolving cyber threat tactics.
2025-06-20 21:13:32 theregister CYBERCRIME Scammers Hijack Major Brands' Websites Displaying Fake Support Numbers
Scammers are manipulating search results to display ads with embedded fake help-desk numbers for companies such as Netflix, Apple, and Bank of America. The fraudulent scheme involves crafting malicious URLs that direct users to legitimate brand websites, yet sneakily incorporate a false phone number into the site’s search functionality. This type of attack, known as search poisoning or SEO poisoning, takes advantage of search engines' algorithms to promote malicious websites that mimic legitimate ones. Despite leading to the real brand’s domain, these malicious ads escape detection by traditional security tools like Chrome’s Safe Browsing due to their seemingly authentic nature. The scam is facilitated by a flaw in the search functions of Netflix's and other sites, which do not properly sanitize input, creating reflected-input vulnerabilities. Victims are deceived into believing these fake numbers are genuine customer support lines, leading to potential disclosure of personal and financial information, or even granting remote access to their devices. Malwarebytes warns users about this scam and suggests vigilance, particularly scrutinizing URLs for suspicious terms and encoded characters. Tips to avoid falling victim include being wary of pre-populated phone numbers in search bars and not disclosing sensitive information such as usernames and passwords to unverified sources.
2025-06-20 17:58:40 theregister DATA BREACH Aflac Caught in Scattered Spider's Cybercrime Web Amidst Industry Attacks
Aflac disclosed a security incident linked to the cybercrime group Scattered Spider, revealing unauthorized network access detected on June 12. The breach involved possible theft of sensitive data, including claims details, health information, Social Security numbers, and personal data of various stakeholders. Unlike other similar attacks, Aflac’s network was not hit with ransomware, and the company contained the intrusion swiftly, avoiding major operational disruptions. The breach appears coordinated with recent attacks on other insurance firms such as Erie Insurance and Tokio Marine, as part of Scattered Spider's focus on the insurance sector. Aflac is collaborating with top cybersecurity experts for incident response and has begun a thorough investigation using indicators linked to social engineering tactics. This series of incidents comes shortly after Google Threat Intelligence Group warned the insurance sector of potential cyber threats mirroring the tactics of Scattered Spider. Scattered Spider, known for sector-focused attacks and prior targeting of the retail and casino industries, has shown a pattern of shifting targets quickly after exploiting one sector.
2025-06-20 17:58:40 bleepingcomputer NATION STATE ACTIVITY North Korean Lazarus Group Behind $11 Million Crypto Theft
The Taiwanese cryptocurrency exchange BitoPro linked an $11 million theft of cryptocurrency to the North Korean hacking group Lazarus. BitoPro reported that unauthorized withdrawals were made from an outdated hot wallet system during an update on May 8, 2025. The thieves then laundered the stolen funds using decentralized exchanges (DEXs) and mixers, complicating the tracing of the funds. Initial investigations revealed that the attack methodology and intrusion patterns resembled those associated with Lazarus in prior global incidents. An internal investigation confirmed that no BitoPro employees were complicit, but a social engineering tactic had allowed malware to be installed on a cloud operations manager’s device. Attackers used this malware to hijack AWS session tokens, bypass multi-factor authentication, and take control of the exchange’s cloud infrastructure. After the compromise was detected, BitoPro secured its systems by shutting down the affected wallet services and rotating cryptographic keys. Following the incident, BitoPro replenished the impacted wallets from its reserves and continued operations unimpeded, while cooperating with cybersecurity experts and authorities on a thorough investigation and mitigation.
2025-06-20 17:36:47 theregister CYBERCRIME Qilin Ransomware Group Employs Lawyers to Intensify Extortion Efforts
Qilin, a ransomware group, is now offering its affiliates access to lawyers to intensify ransom negotiations, effectively using legal threats to compel payment. These legal advisers are part of a broader strategy to portray a sophisticated criminal operation, aiming to attract more affiliates and increase attack success rates. The lawyers can also steer negotiations, advising victims on the maximum damage Qilin could cause if ransoms are not paid. Cybersecurity experts see this move primarily as a marketing stunt and question the viability and authenticity of such services. In addition to legal services, Qilin claims to have added features such as 1 petabyte of storage and capabilities for email and phone spamming, network propagation, and launching DDoS attacks. Cybereason identifies Qilin as a dominant player in the ransomware-as-a-service (RaaS) industry, noting it has overtaken formerly leading groups partly as a result of law enforcement actions against them. The group has a notorious history of targeting critical infrastructure and is affiliated with Scattered Spider, a group known for significant cyberattacks. Overall, these enhancements to Qilin's affiliate panel mark a shift towards presenting itself as a full-service cybercrime platform.